JH is a hash function submitted to the NIST hash competition (2008--2012) in October 2008. It was selected as a finalist of the competition. There are four JH hash algorithms, namely JH-224, JH-256, JH-384 and JH-512, all constructed from the same compression function. In January 2011, the number of rounds in JH was changed from 35.5 to 42 for better hardware efficiency and a larger security margin.

The hash speed of JH is about 19.6 cycles/byte on the mobile Intel Core 2 Duo T6600 2.2GHz processor running a 64-bit operating system, and 23.3 cycles/byte on a 32-bit operating system (bitslice C implementation with the Intel C++ compiler). JH is efficient in hardware since simple components and identical round functions are used.

In the design of JH, we proposed a new structure for building a compression function from a large permutation (bijective function). This structure improves on the computational efficiency of the Sponge structure because the output of the permutation is not truncated. The security of this structure with respect to differential attacks is relatively easy to analyze, since no extra variable is introduced into the middle of the permutation (round constants are used in this structure instead of round keys).
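The structure described above can be sketched in a few lines of C. This is an added illustration, not code from the JH package: following the layout in the JH specification, the message block is XORed into the first half of the state before the permutation and into the second half after it. The 128-bit state, the stand-in permutation `toy_perm` and the round constants are assumptions made for the example and have no security value.

```c
#include <stdint.h>

/* Toy 128-bit state in two 64-bit halves (JH uses two 512-bit halves). */
typedef struct { uint64_t left, right; } state_t;
#define ROUNDS 8
static uint64_t rotl(uint64_t v, int n) { return (v << n) | (v >> (64 - n)); }
static uint64_t rotr(uint64_t v, int n) { return (v >> n) | (v << (64 - n)); }

/* Constructed round constants: public values, not key material. */
static uint64_t rc(int r) { return 0x9E3779B97F4A7C15ULL * (uint64_t)(r + 1); }

/* Stand-in permutation P (NOT JH's E8): identical, invertible rounds. */
void toy_perm(state_t *s) {
    for (int r = 0; r < ROUNDS; r++) {
        s->left ^= rc(r);
        s->left += s->right;
        s->right = rotl(s->right, 13) ^ s->left;
    }
}

/* Inverse of toy_perm: undo each round step in reverse order. */
void toy_perm_inv(state_t *s) {
    for (int r = ROUNDS - 1; r >= 0; r--) {
        s->right = rotr(s->right ^ s->left, 13);
        s->left -= s->right;
        s->left ^= rc(r);
    }
}

/* Compression step: the block m enters only before and after P, and the
   whole output of P is carried forward (no truncation). */
state_t compress(state_t h, uint64_t m) {
    h.left ^= m;
    toy_perm(&h);
    h.right ^= m;
    return h;
}

/* Since P is a bijection, one step can be undone when m is known. */
state_t uncompress(state_t h, uint64_t m) {
    h.right ^= m;
    toy_perm_inv(&h);
    h.left ^= m;
    return h;
}

int main(void) {
    state_t iv = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL }; /* constructed */
    state_t back = uncompress(compress(iv, 0x6A68ULL), 0x6A68ULL);
    return !(back.left == iv.left && back.right == iv.right);
}
```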

In the design of JH, we proposed the generalized AES design methodology -- applying an SPN (substitution-permutation network) and an MDS (maximum-distance separable) code to a multi-dimensional array. Note that AES was designed by extending the one-dimensional SHARK cipher to two dimensions. With the generalized AES design method, it is easy to design a large permutation from small and simple components. In JH, the SPN and MDS code are applied to an 8-dimensional array (1024-bit block size, 42 rounds). The design of the permutation in JH combines the best features of AES (SPN + MDS) and Serpent (SPN + bitslice).

JH is not covered by any patent and JH is freely available. We welcome the security analysis of this new hash design. I would like to thank Paul Crowley for independently implementing JH and pointing out errors in my original code and document.

Document: jh_round3.pdf (January 16, 2011)

Presentation: slides (The First SHA-3 Candidate Conference, February 2009)

Presentation: slides (The Second SHA-3 Candidate Conference, August 2010)

Non-optimized reference implementation (not bitslice): jh_ref.h

Non-optimized 32-bit bit-slice reference implementation: jh_bitslice_ref32.h

Non-optimized 64-bit bit-slice reference implementation: jh_bitslice_ref64.h

Optimized SSE2 implementation for 64-bit Core 2 processor: jh_sse2_opt64.h (January 2011)

Optimized SSE2 implementation for 32-bit Core 2 processor: jh_sse2_opt32.h (January 2011)

Optimized ANSI C implementation for 64-bit Core 2 processor: jh_ansi_opt64.h (January 2011)

Optimized ANSI C implementation for 32-bit Core 2 processor: jh_ansi_opt32.h (January 2011)

Optimized ANSI C implementation for 8-bit Core 2 processor: jh_opt8.h (January 2011)

High-speed hardware implementation, by Stefan Tillich et al. (November 2009)

Uniform Evaluation of Hardware Implementations of the Round-Two SHA-3 Candidates, by Stefan Tillich et al. (August 2010)

Comprehensive Comparison of Hardware Performance of Fourteen Round 2 SHA-3 Candidates with 512-bit Outputs Using Field Programmable Gate Arrays, by Kris Gaj et al. (August 2010)

Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations, by Xu Guo et al. (August 2010)

FPGA Implementations of the Round Two SHA-3 Candidates, by Brian Baldwin et al. (August 2010)

Original (October 31 2008)

Round 1 Update (January 15 2009). Remarks: correcting a code error when copying a partial block, and the mismatch between the number of padding zeros in code and document. These errors were pointed out by Paul Crowley.

Round 2 (September 15 2009). Remarks: No tweak to JH. More introduction material and cryptanalysis results are added to the document.

Round 3 (January 16 2011). Remarks: JH is tweaked: The round number is changed from 35.5 to 42. Details of the cryptanalysis are added to the report.